From ede8255be290f353c22129e01ef2346e6b706de0 Mon Sep 17 00:00:00 2001
From: Erich Blume
Date: Thu, 19 Feb 2026 07:24:48 -0800
Subject: [PATCH] Fix 1Password secret tasks always reporting changed in ringtail playbook

Replace `changed_when: true` with output inspection so the tasks correctly report unchanged when the secret content hasn't changed.

Co-Authored-By: Claude Opus 4.6
---
 ansible/playbooks/ringtail.yml | 6 ++++--
 .../fix-ringtail-1password-secrets-idempotent.bugfix.md | 1 +
 2 files changed, 5 insertions(+), 2 deletions(-)
 create mode 100644 docs/changelog.d/fix-ringtail-1password-secrets-idempotent.bugfix.md

diff --git a/ansible/playbooks/ringtail.yml b/ansible/playbooks/ringtail.yml
index 74c4f54..b05d67a 100644
--- a/ansible/playbooks/ringtail.yml
+++ b/ansible/playbooks/ringtail.yml
@@ -100,7 +100,8 @@
 --from-literal=1password-credentials.json='{{ _op_credentials.stdout }}' \
 --dry-run=client -o yaml | k3s kubectl apply -f -
 executable: /run/current-system/sw/bin/bash
- changed_when: true
+ register: _op_credentials_apply
+ changed_when: "'configured' in _op_credentials_apply.stdout or 'created' in _op_credentials_apply.stdout"
 no_log: true
 - name: Create or update onepassword-token secret
@@ -112,5 +113,6 @@
 --from-literal=token={{ _op_token.stdout }} \
 --dry-run=client -o yaml | k3s kubectl apply -f -
 executable: /run/current-system/sw/bin/bash
- changed_when: true
+ register: _op_token_apply
+ changed_when: "'configured' in _op_token_apply.stdout or 'created' in _op_token_apply.stdout"
 no_log: true
diff --git a/docs/changelog.d/fix-ringtail-1password-secrets-idempotent.bugfix.md b/docs/changelog.d/fix-ringtail-1password-secrets-idempotent.bugfix.md
new file mode 100644
index 0000000..6269f2d
--- /dev/null
+++ b/docs/changelog.d/fix-ringtail-1password-secrets-idempotent.bugfix.md
@@ -0,0 +1 @@
+Make 1Password secret tasks in ringtail playbook idempotent by checking kubectl apply output instead of always reporting changed.
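Review bot: `register: _op_credentials_apply` keeps the whole task result, not just stdout; if this is a shell or command task (the module line is above the hunk, though `executable:` suggests shell), the result's `cmd` field holds the rendered command line, including the 1Password credentials JSON. `no_log: true` hides only this task's own output, so the registered variable must never reach a `debug` task or any later task that runs without `no_log`. I would add a comment above the register line, `# result.cmd contains the secret; use only in changed_when, never debug or log this var`. The same applies to `_op_token_apply` in the next hunk.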
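Review bot: `--from-literal=token={{ _op_token.stdout }}` is interpolated into the bash command unquoted, whereas the credentials task in the previous hunk at least single-quotes its value, so a token containing whitespace or shell metacharacters would be split or interpreted by bash. Passing it through the `quote` filter is safer: `--from-literal=token={{ _op_token.stdout | quote }} \`. The value still travels on the command line, which is presumably visible in the host's process list while the command runs, so feeding it via stdin or a file would be a further hardening. The task starts outside the hunk, so this is judged from the visible lines only.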